1 / 48

Servlets, Sessions, and Cookies Lecture 8

Servlets, Sessions, and Cookies Lecture 8. cs193i – Internet Technologies Summer 2004 Kelly Shaw, Stanford University. Why Java Servlets Instead of CGI?. Efficient, Convenient, Powerful, Portable, Secure, Inexpensive Lightweight threads instead of OS threads created

kemp
Download Presentation

Servlets, Sessions, and Cookies Lecture 8

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Servlets, Sessions, and CookiesLecture 8 cs193i – Internet Technologies Summer 2004 Kelly Shaw, Stanford University

  2. Why Java Servlets Instead of CGI? • Efficient, Convenient, Powerful, Portable, Secure, Inexpensive • Lightweight threads instead of OS threads created • Single copy of code brought into memory for all threads versus per thread • Data (session state) can be stored across threads within servlet container • Java is portable and secure • Requires little expense once servlet container integrated with web server

  3. Servlet Structure • Java Servlet Objects on Server Side • Managed by Servlet Container • Loads/unloads servlets • Directs requests to servlets • Request → doGet() • Each request is run as its own thread

  4. HEADERS BODY Web App with Servlets GET … Servlet doGet() … … Servlet Container

  5. 5 Simple Steps for Java Servlets 1. Subclass off HttpServlet 2. Override doGet(....) method 3. HttpServletRequest • getParameter("paramName") 4. HttpServletResponse • set Content Type • get PrintWriter • send text to client via PrintWriter 5. Don't use instance variables

  6. Servlet/JSP Container • Java Servlet 2.4 • JavaServer Pages 2.0 • Tomcat is the basis for the official reference implementation

  7. HelloWorld.java import java.io.*; import javax.servlet.*; import javax.servlet.http.*; public class HelloWorldExample extends HttpServlet { public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { response.setContentType("text/html"); PrintWriter out = response.getWriter(); out.println("<html>"); out.println("<head>"); out.println("<title>Hello World!</title>"); out.println("</head>"); out.println("<body bgcolor=\"white\">"); out.println("<h1>Hello World!</h1>"); out.println("</body>"); out.println("</html>"); } }

  8. RequestHeaderExample.java importjava.io.*; importjava.util.*; importjavax.servlet.*; importjavax.servlet.http.*; public classRequestHeaderExample extends HttpServlet { public voiddoGet(HttpServletRequest request, HttpServletResponse response) throwsIOException, ServletException { response.setContentType("text/html"); PrintWriter out = response.getWriter(); Enumeration e = request.getHeaderNames(); while (e.hasMoreElements()) { String name = (String)e.nextElement(); String value = request.getHeader(headerName); out.println(name + “ = “ + value ); } } }

  9. Servlet Lifecycle(Creation) • Single instance created • init() method called • You can override init() in your subclass of HttpServlet to do some initial code.... • init() is NOT called again on further requests

  10. Servlet Lifecycle(Service Method) • On each request, the server spawns a new thread and calls service() • service() checks HTTP request type and calls appropriate doXXXX (Get, Post, Put...) • don't override service (unless you really know what you're doing)

  11. Servlet Lifecycle(doGet(), doPost()) • Real meat of the web app is here • doPost() can call doGet(), or viceversa • no doHead()... system uses headers of doGet() result

  12. Servlet Lifecycle(destroy()) • For some reason (servlet idle, etc) the server may want to remove the servlet from memory • destroy() allows you to close DB connections, wrap up, etc... • Don't count on destroy to write persistent state (server may crash before you ever get here!)

  13. Accessing Request Components • getParameter("param1") • getCookies() => Cookie[] • getContentLength() • getContentType() • getHeaderNames() • getMethod()

  14. Environment Variables • JavaServlets do not require you to use the clunky environment variables used in CGI • Individual functions: • PATH_INFO req.getPathInfo() • REMOTE_HOST req.getRemoteHost() • QUERY_STRING req.getQueryString() • …

  15. Setting Response Components • Set status first! • setStatus(int) HttpServletResponse.SC_OK... • sendError(int, String) • sendRedirect(String url)

  16. Setting Response Components • Set headers • setHeader(…) • setContentType(“text/html”) • Output body • PrintWriter out = response.getWriter(); • out.println("<HTML><HEAD>...")

  17. J2EE API • http://java.sun.com/j2ee/1.4/docs/api/index.html • HttpServletResponse, HttpServletRequest, HttpServlet, HttpSession...

  18. Developing Servlets(Start w/ baby steps) • Install Tomcat • Run Tomcat • Run examples

  19. Creating Your Own Servlet • Write new servlet (e.g. Hi.java) • Make sure Tomcat jar files are in your classpath • Compile servlet (javac Hi.java) • Edit web.xml • Restart the Tomcat Server/Servlet Container • http://<host>:8080/<webappname>/servlet/Hi

  20. Debugging • use out.println to the html • print to a socket on localhost...

  21. Five Minute Break

  22. Continuity Problem • Session: A user sits down, enters a website, does some work, exits • HTTP Stateless • Does Keep-Alive Help?

  23. Client vs. Server Side • Client Side • Store Variable=Value Bindings in HTML Page, or Cookies • Server Side • Store Variable=Value Bindings in DB/Server Memory • Store Session ID on Client Side, to identify Client

  24. Three Typical Solutions • Cookies • URL Rewriting • Hidden Fields

  25. HTTP Cookies Grab-bag • Lifetime • Session – not written to file system • Persistent – written to user preferences • Only returns cookie to requesting domain • Cookie must be specified by content • No special characters in cookie

  26. HTTP Cookies 1239865610 String sID = makeUniqueString(); Hashtable sessionInfo = new Hashtable(); Hashtable globalTable = findTableStoringSessions(); globalTable.put(sID, sessionInfo); Cookie sessionCookie = new Cookie("JSESSIONID", sID); sessionCookie.setPath("/"); response.addCookie(sessionCookie);

  27. HTTP Cookies 1239865610 String sID = makeUniqueString(); Hashtable sessionInfo = new Hashtable(); Hashtable globalTable = findTableStoringSessions(); globalTable.put(sID, sessionInfo); Cookie sessionCookie = new Cookie("JSESSIONID", sID); sessionCookie.setPath("/"); response.addCookie(sessionCookie);

  28. HTTP Cookies 1239865610 String sID = makeUniqueString(); Hashtable sessionInfo = new Hashtable(); Hashtable globalTable = findTableStoringSessions(); globalTable.put(sID, sessionInfo); Cookie sessionCookie = new Cookie("JSESSIONID", sID); sessionCookie.setPath("/"); response.addCookie(sessionCookie);

  29. HTTP Cookies 1239865610 String sID = makeUniqueString(); Hashtable sessionInfo = new Hashtable(); Hashtable globalTable = findTableStoringSessions(); globalTable.put(sID, sessionInfo); Cookie sessionCookie = new Cookie("JSESSIONID", sID); sessionCookie.setPath("/"); response.addCookie(sessionCookie);

  30. HTTP Cookies 1239865610 JSESSIONID → 1239865610 String sID = makeUniqueString(); Hashtable sessionInfo = new Hashtable(); Hashtable globalTable = findTableStoringSessions(); globalTable.put(sID, sessionInfo); Cookie sessionCookie = new Cookie("JSESSIONID", sID); sessionCookie.setPath("/"); response.addCookie(sessionCookie);

  31. HTTP Cookies 1239865610 JSESSIONID → 1239865610 PATH → / String sID = makeUniqueString(); Hashtable sessionInfo = new Hashtable(); Hashtable globalTable = findTableStoringSessions(); globalTable.put(sID, sessionInfo); Cookie sessionCookie = new Cookie("JSESSIONID", sID); sessionCookie.setPath("/"); response.addCookie(sessionCookie);

  32. HTTP Cookies 1239865610 Set-Cookie: JSESSIONID=1239865610; path=/; String sID = makeUniqueString(); Hashtable sessionInfo = new Hashtable(); Hashtable globalTable = findTableStoringSessions(); globalTable.put(sID, sessionInfo); Cookie sessionCookie = new Cookie("JSESSIONID", sID); sessionCookie.setPath("/"); response.addCookie(sessionCookie);

  33. HTTP Cookies Cookie: JSESSIONID=1239865610; // On request String sID = request.getCookie("JSESSIONID"); Hashtable globalTable = findTableStoringSessions(); Hashtable sInfo = (Hashtable) globalTable.get(sID);

  34. HTTP Cookies Cookie: JSESSIONID=1239865610; // On request String sID = request.getCookie("JSESSIONID"); Hashtable globalTable = findTableStoringSessions(); Hashtable sInfo = (Hashtable) globalTable.get(sID);

  35. HTTP Cookies 1239865610 Cookie: JSESSIONID=1239865610; // On request String sID = request.getCookie("JSESSIONID"); Hashtable globalTable = findTableStoringSessions(); Hashtable sInfo = (Hashtable) globalTable.get(sID);

  36. In-Browser Cookie Management

  37. URL Rewriting • Rewrite all URLs in response to contain SessionID • http://foo.com/servlet/cart?id=123xyz • Parse out session ID from request line • encodeURL() in HttpResponse object will rewrite session-id onto URL • Limitations • Always include ?sessionID=238423984 • e.g. http://www.amazon.com/exec/obidos/subst/home/ home.html/103-0036360-1119059

  38. URL Rewriting

  39. Hidden Form Fields • <input type=“hidden” name=“session” value=“...”>

  40. Java Servlet Solution • Session tracking API built on top of URL rewriting or cookies • Look up HttpSession object associated with current request (or create new one) • All cookie/URL rewriting mechanics hidden • Look up information associated with a session • Associate information with a session

  41. Look up Session Info HttpSession session = request.getSession(true); ShoppingCart sc = (ShoppingCart) session.getAttribute("shoppingCart"); if (cart == null) { cart = new ShoppingCart(); session.setAttribute("shoppingCart", cart); } ... // do something with your shopping cart object

  42. HttpSession Methods • public String getId() • public boolean isNew() • public long getCreationTime() • public long getLastAccessedTime() • public int getMaxInactiveInterval() • public void setMaxInactiveInterval(int secs) • public void invalidate()

  43. Associate Info w/ Session HttpSession session = request.getSession(true); session.setAttribute("referringPage", request.getHeader("Referer")); ShoppingCart cart = (ShoppingCart)session.getAttribute("previousItems"); if (cart == null) { cart = new ShoppingCart(); session.setAttribute("previousItems", cart); } String itemID = request.getParameter("itemID"); if (itemID != null) { cart.addItem(Catalog.getItem(itemID)); }

  44. Session Termination • Automatic! After a long enough interval (getMaxInactiveInterval)

  45. Session Tracking Session ID = 123XYZ Shopping Cart sc [item 1=324] Request Amazon Servlet Container

  46. Session Tracking Session ID = 123XYZ Shopping Cart sc [item 1=324] Amazon Response: Set-Cookie: sid=123XYZ Servlet Container

  47. Session Tracking Request: Set-Cookie: sid=123XYZ Session ID = 123XYZ Shopping Cart sc [item 1=324] Amazon Servlet Container

  48. Session Tracking Request: Set-Cookie: sid=123XYZ Session ID = 123XYZ Shopping Cart sc [item 1=324 item 2=115] Amazon Servlet Container

More Related